Truth About Computer Security Hysteria
New estimate puts viruses/hacking at $1.6 TRILLION
Tuesday, 29 August 2000
ANTIVIRUS EXPERTS RACED last week to find copies of a supposedly "new" version of the
Pokémon Pikachu worm. (Gesundheit.) Instead, they sent each other a byte-for-byte clone of a virus first
seen in May. At any rate,
the media's momentary uproar seems out of
place if you study
this threat report.
Pikachu hasn't done a peekaboo, if you know what I mean. But hey, forget about Pokémon for a moment. Did you know
viruses & hacking now exceed $1.6 trillion dollars? My
cries about "billions of dollars" remain
unanswered; now I gotta start attacking "trillions." These figures appeared in the August edition of
Information Security magazine:
This $1.6 trillion estimate leads to one overwhelming conclusion. We must
dismantle the Internet as an abject failure. Pimply schoolkids really do qualify
as national security threats!
(A plug for Vmyths.com appeared in the same issue. I love irony.) The numbers come from a "global survey"
conducted by InformationWeek, fielded by PriceWaterhouseCoopers LLP, and researched by Reality
Research & Consulting. I quote from a highbrow press release:
- $1.6 trillion: estimated worldwide loss last year due to downtime resulting from security breaches
and virus attacks. [Source: InformationWeek]
- $266 billion: estimate cost of damages caused by viruses and computer cracking in U.S. firms last
year, representing 2.5 percent of the nation's Gross Domestic Product (GDP). [Source:
In total, the bill to U.S. firms this year for viruses and computer hacking will amount to $266 billion, or
more than 2.5% of the nation's Gross Domestic Product (GDP). The price tag worldwide soars to $1.6 trillion.
"These estimates are based on the broadest sampling ever achieved in the security industry," noted Rusty Weston,
Editor of InformationWeek Research and informationweek.com. "The findings indicate that viruses are far more
disruptive to organizations than most people realize. Lost productivity will undoubtedly force many IT
organizations to reassess their network defenses and security policies."
According to John DiStefano, principal researcher on the study at Reality Research & Consulting, which assisted
InformationWeek Research on the project, the $266 billion figure represents the impact of viruses on U.S.
businesses with more than 1,000 employees, or about 50,000 firms. "These are companies with infrastructures of IT
professionals who, because of the dollar impact, are increasingly tracking the problem and can provide an accurate
assessment of the scope of the issue. In reality, the true impact of viruses on U.S. business, including
medium-sized companies and small businesses, is much greater," DiStefano explained.
Think of it this way: if you live in the U.S. and spend $40 at the bijou, then $1 went to repair computers damaged
by a hacker or virus. (Probably damaged by the kid running the movie projector, I'll bet.) DiStefano actually
believes he made a conservative estimate.
Oddly, PriceWaterhouseCoopers doesn't seem to agree with the kahunas at Reality Research & Consulting and
InformationWeek. ("Reality Research." I love irony.) PWC's ad in the same issue of
Information Security magazine says "last year, computer hackers cost businesses 45 billion
A paltry $45 billion? Man, that's bus fare. So what gives? I've yet to find a security vendor who touts
"trillions" in a press release.
Associated Press technology writer Cliff Edwards went on to distill it for the world: "A study ...
estimated businesses worldwide will lose more than $1.5 trillion this year because of computer viruses spread
through the Internet." Amazingly, his very next paragraph claims ILoveYou "affected about 45 million
computer files at a cost to companies of $2.61 billion."
Pull out your solar calculators, folks. Time for some quick math.
The U.S. federal government spent roughly $142 billion per month in fiscal year 1999, compared to hackers
& viruses which siphon roughly $107 billion per month worldwide. America could wipe out its national debt
in seven years if they could tap into the RR&C/InformationWeek estimate. The $266 billion
U.S. estimate for hacking & viruses almost equals the $276 billion spent on U.S. defense in fiscal year
AP's Edwards would report 575 ILoveYou catastrophes in 465 days just to match the
RR&C/InformationWeek estimate. If every single human being on the planet owned a computer, they'd all
get infected four times each in 15 months. (Hmmm, I'm definitely not doing my part. Who's picking up my slack?)
If we instead use the Lloyd's of London estimate of $15 billion for ILoveYou, then we'd only see three
Internet catastrophes every two weeks.
Such is the damage caused by hackers & viruses according to RR&C/InformationWeek.
Now let's compare their estimate to Hurricane Andrew, the worst natural disaster in U.S. history. It temporarily
wiped Miami off the map at a cost of roughly $26 billion. Andrew must slam into Florida almost once a week to
equal the impact of viruses & hackers. Every hurricane to hit the U.S. since Camille, combined, doesn't
match what hackers & viruses did worldwide in the last 15 months.
Now let's compare the RR&C/InformationWeek estimate to the ultra-rich. According to
Forbes, you can buy out every one of the world's billionaires. All of them! And you'll have enough
coins left to purchase General Electric.
I can't find a security vendor who touts "trillions" in a press release. What gives? "Billions" seems like
bus fare these days...
Simple math, folks.
The U.S. estimate alone for hacking & viruses rivals the entire U.S. defense budget
-- if you believe the fearmongers.
THE RR&C/INFORMATIONWEEK ESTIMATE leads to one overwhelming conclusion. We must
dismantle the Internet as an abject failure. A different company's press release, for example, claims the entire
worldwide e-commerce market will generate $160 billion this year. Translation: hackers & viruses cost $10 for
every $1 of sales on the Internet.
These "sobering" statistics prove the PC and the web indeed qualify as national security threats.
We should nationalize AOL/Time-Warner in an effort to eliminate computer networking. And we obviously should take
computers out of the classroom. Pimply e-terrorists shouldn't carry automatic laptop weapons to school. I say we
bring back the #2 pencil.
"But Rob," you moan, "you're comparing apples to oranges again. We only measure monetary damage in a hurricane.
This RR&C/InformationWeek study counts up lost productivity." Okay then, who's at fault here? Me?
Bah. I didn't compare lost productivity to the U.S. GDP.
"Lost productivity" seems relevant here, so let's talk. How many trillions of productivity dollars did United Air
Lines steal from Americans in the last few weeks alone? Why doesn't the FBI raid some UAL
cockpits? You should see the recent LaptopLane bills I
racked up just at O'Hare airport. I want my lost productivity back!
Speaking of lost productivity... I might as well moan about a company named Cobalt. (Skip to the last two
paragraphs if you want the punchline immediately.) Their stock trades publicly and they sell a "slim server" known
as the Qube2. I purchased one for my network early this year — and I've suffered for it ever since.
My problems began almost immediately. The Linux kernel crashed at least once a week. It stopped supporting DHCP
in mid-March. In late June the Qube2 stopped supporting DNS. In July it bit the dust after I installed Cobalt's
buggy OS upgrade. I spent $149 for a spare-in-the-air — a refurb which crashed two hours after I opened the
package. (Yes yes yes, that's when I learned my lesson about the buggy OS upgrade.) The refurb crashes when it
tries to restore backups containing my critical business files. This Qube2 had the gall to crash during a
Cobalt technician's telnet session.
So I spent another $114 for an OS restore CD (only sold separately). I just wanted to roll back to a more stable
version of Linux so I could restore critical business files. Sadly, it doesn't work. The technicians believe I
received bad media, yet they won't send me a new one. (Cobalt doesn't replace CDs as a policy.) In hindsight, I
should've bought another refurb instead of the CD.
I remain unable to restore the OS on a refurbished Qube2 replacement box which crashes regularly. How much money
have I lost so far in terms of productivity? Let's see, $50 an hour times 1.21 crashes per week, times 6 months,
divided by the frustration factor, plus
$149+33, plus $99+15... for a grand total of $1,608,007.53. I view it as a conservative estimate, of course. In
reality, the true impact of Cobalt on my business is much greater.
Wow! If a million Cobalt users worldwide over the last 15 months suffered like I did, it would amount to a
whopping $1.6 trillion. Coincidence?
If a million Cobalt users worldwide over the last 15 months suffered like I did, it would amount to a whopping $1.6